The present invention relates to a method for protecting a network against a security attack by a user and, in particular, for protecting a layer 2 switch against a MAC flooding attack, in which the MAC flooding attack floods the layer 2 switch with at least one packet, a database is provided which stores MAC addresses and their allocation, and the database has a maximum capacity, according to the preamble of claim 1.
Such a method is known in the prior art.
MAC address is short for Media Access Control address. It is a hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sublayers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network medium. Consequently, each different type of network medium requires a different MAC layer.
Layer 2 refers to the Data Link layer of the commonly-referenced multilayered communication model, Open Systems Interconnection (OSI). The Data Link layer is concerned with moving data across the physical links in the network.
In a network, the switch is a device that forwards frames at the layer 2 level, using the destination Media Access Control (MAC) address to determine the port to which a frame is sent.
Nowadays, layer 2 networks, as part of the Internet or of the networks of different providers and of access networks, are mainly based on Ethernet technology. The nodes of an Ethernet network are identified by globally unique MAC addresses.
A plurality of attacks, e.g. on the Internet, start with so-called “MAC flooding” attacks originating from the attacker. Thereby, the layer 2 network is flooded with packets which contain an excessively high number of different source MAC addresses. Layer 2 switches learn MAC addresses: they save the allocation “MAC address to switch port” for a certain amount of time in order to use this information for forwarding to the correct switch port. As long as a destination MAC address is unknown, a packet has to be either flooded to all ports or discarded. The database which saves the MAC addresses and their allocation, further called Forwarding Database (FDB), has a physically limited maximum capacity. When this limit is reached and new addresses appear, either older addresses have to be deleted, or no additional MAC addresses will be learned.
MAC flooding attacks exploit this behaviour. By flooding the network with frames carrying many different source MAC addresses, the attacker fills the FDB up to its limit, so that legitimate entries are displaced or can no longer be learned. Frames to these now unknown destinations are flooded towards all switch ports.
Thus, the attacker is also able to receive packets that are not addressed to him. He thereby obtains information which can be used as a basis for further attacks.
If, in the case of unknown MAC addresses, the switch instead discards the packets, a Denial of Service (DoS) results: the operation of the switch is disrupted and other participants are affected.
Where MAC learning is implemented in software, MAC flooding can additionally overload the CPU of the switch.
With the increasing use of Ethernet technology in access networks as part of provider networks, the problem grows further. The user at the border of the access network must be regarded both as a user who needs to be protected and as a possible attacker.
A prior art method of layer 2 switches for protecting against MAC flooding attacks is to allow only a limited number of MAC addresses per switch port and, once the limit for a port is reached, not to save any further MAC address seen on that port in the database (FDB).
A further means is the use of static entries. When the MAC addresses or address ranges behind particular ports are known, they can be entered statically by configuration, and learning on these ports can be turned off.
When it is known that in the normal case particular ports do not communicate with each other, forwarding between these ports can be turned off altogether. This method is also called “port isolation”.
A further frequently used method is the separation of the layer 2 network into so-called “broadcast domains”. That is, the layer 2 network is separated into sections, and forwarding on the basis of layer 2 addressing is possible only within each section. One such method is the layer 2 VLAN according to IEEE 802.1Q.
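The following model illustrates the FDB behaviour described above (ageing out the oldest entry versus refusing to learn, flooding versus discarding frames with unknown destinations) together with two of the prior-art controls, the per-port learning limit and VLAN separation. It is an added example and not part of this description or of the claimed method; the three-port topology, the FDB capacity of 8, the constructed MAC addresses and the traffic are assumptions chosen so that the effect is visible in a few frames. The FDB is modelled as a single shared table, which is a simplification of a per-VLAN table.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed victim / server MACs


class L2Switch:
    """Toy layer 2 switch with a capacity-limited forwarding database (FDB).

    Constructed example, not the patent's own method. It models learning of
    'source MAC -> ingress port', the two full-FDB behaviours named in the
    text (evict the oldest entry, or stop learning), the two unknown-destination
    behaviours (flood, or drop), a per-port learning limit, and VLAN separation.
    The FDB is a single shared table rather than one table per VLAN.
    """

    def __init__(self, ports, fdb_capacity, per_port_limit=None, evict_oldest=True,
                 unknown_policy="flood", vlan_of_port=None):
        self.ports = list(ports)
        self.capacity = fdb_capacity
        self.per_port_limit = per_port_limit
        self.evict_oldest = evict_oldest
        self.unknown_policy = unknown_policy
        self.vlan_of_port = vlan_of_port or {p: 1 for p in self.ports}
        self.fdb = OrderedDict()      # mac -> port; insertion order doubles as age
        self.dropped_learns = 0       # learn attempts refused by a limit
        self.dropped_frames = 0       # frames discarded under the 'drop' policy

    def learn(self, mac, port):
        """Record mac on port; return False when a limit refuses the entry."""
        if mac in self.fdb:
            self.fdb.move_to_end(mac)                     # refresh ageing order
            self.fdb[mac] = port
            return True
        on_port = sum(1 for p in self.fdb.values() if p == port)
        if self.per_port_limit is not None and on_port >= self.per_port_limit:
            self.dropped_learns += 1
            return False
        if len(self.fdb) >= self.capacity:
            if not self.evict_oldest:
                self.dropped_learns += 1
                return False
            self.fdb.popitem(last=False)                  # age out the oldest entry
        self.fdb[mac] = port
        return True

    def forward(self, src, dst, in_port):
        """Learn src, then return the list of egress ports for the frame."""
        self.learn(src, in_port)
        vlan = self.vlan_of_port[in_port]
        out = self.fdb.get(dst)
        if dst != BROADCAST and out is not None and self.vlan_of_port[out] == vlan:
            return [] if out == in_port else [out]
        if dst != BROADCAST and self.unknown_policy == "drop":
            self.dropped_frames += 1
            return []
        # unknown unicast or broadcast: flood to every other port in the same VLAN
        return [p for p in self.ports if p != in_port and self.vlan_of_port[p] == vlan]


def flooded_switch(**switch_opts):
    """Ports 1 (victim A), 2 (server B), 3 (attacker). A and B exchange one frame
    each, then the attacker sends 8 frames with distinct fake source MACs."""
    opts = dict(ports=[1, 2, 3], fdb_capacity=8)
    opts.update(switch_opts)
    sw = L2Switch(**opts)
    sw.forward(A, B, in_port=1)
    sw.forward(B, A, in_port=2)
    for i in range(8):
        sw.forward("02:00:00:00:00:%02x" % i, BROADCAST, in_port=3)
    return sw


def mac_flood_scenario(**switch_opts):
    """Where does B's reply to A go after the flood? Port 3 in the list means
    the attacker receives a unicast frame that is not addressed to him."""
    sw = flooded_switch(**switch_opts)
    reply_ports = sw.forward(B, A, in_port=2)
    return {"reply_ports": reply_ports, "fdb_size": len(sw.fdb),
            "dropped_learns": sw.dropped_learns, "attacker_sees_reply": 3 in reply_ports}


def new_host_scenario(**switch_opts):
    """After the flood a new host C appears on port 1 and talks to B: with a
    full FDB that no longer learns and a 'drop' policy, B's reply never arrives."""
    sw = flooded_switch(**switch_opts)
    C = "00:00:00:00:00:0c"
    request_ports = sw.forward(C, B, in_port=1)
    reply_ports = sw.forward(B, C, in_port=2)
    return {"request_ports": request_ports, "reply_ports": reply_ports,
            "dropped_frames": sw.dropped_frames}


if __name__ == "__main__":
    print("unprotected:              ", mac_flood_scenario())
    print("per-port limit 2:         ", mac_flood_scenario(per_port_limit=2))
    print("attacker in VLAN 2:       ", mac_flood_scenario(vlan_of_port={1: 1, 2: 1, 3: 2}))
    print("no learning, drop unknown:", new_host_scenario(evict_oldest=False, unknown_policy="drop"))
```

With the defaults, eight fake source addresses are enough to age both legitimate entries out of the table, and the reply from B to A is flooded to port 3 as well. A per-port limit of two on the attacker's port leaves the legitimate entries in place, and placing the attacker in a separate VLAN keeps the flooded reply inside the victims' broadcast domain even though the shared table is still exhausted. The last scenario shows the other failure mode from the text: a switch that stops learning and discards unknown unicast frames never delivers the reply to a host that appears after the flood.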
However, the prior art methods described above, port isolation, VLAN separation and limiting the number of MAC addresses to be learned, protect only the node itself. The packets, which have already been identified as dangerous, travel further into the network and reach subsequent network nodes and network users respectively.